On Tue, Sep 04, 2012 at 05:57:28AM +0200, Jan Engelhardt wrote:
>
> On Tuesday 2012-09-04 02:14, Maciej Żenczykowski wrote:
>
> >+<----->if (cs->target->alias == NULL)^M
> >+<-----><------>strcpy(cs->target->t->u.user.name, cs->jumpto);^M
> >+<----->else^M
> >+<-----><------>strcpy(cs->target->t->u.user.name, cs->target->alias);^M
> >
> >I'd have probably written if (cs->target->alias) copy(alias) else copy(jumpto)
> >
> >doesn't this all really belong in the CT files now?
> >ie. libxt_CT.c not libxt_NOTRACK.c
>
> I think so too.
> Furthermore, I have refined Pablo's patch.
>
> 0. vcurrent was not updated, now done.
> 1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0
> (function "compatible_revision"), now addressed.
> 2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0.
> 3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by
> providing a symlink.
>
> Not solved:
> 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> has become unusable on sufficiently old kernels.
> Should we even bother?
>
> [ Agglomeration of two patches in git://git.inai.de/iptables master ]
> diff --git a/configure.ac b/configure.ac
> index 861f5b3..a45d9ab 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -2,8 +2,8 @@
> AC_INIT([iptables], [1.4.15])
>
> # See libtool.info "Libtool's versioning system"
> -libxtables_vcurrent=8
> -libxtables_vage=1
> +libxtables_vcurrent=9
> +libxtables_vage=0
>
> AC_CONFIG_AUX_DIR([build-aux])
> AC_CONFIG_HEADERS([config.h])
> diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
> index 218dc3a..92ac63d 100644
> --- a/extensions/GNUmakefile.in
> +++ b/extensions/GNUmakefile.in
> @@ -39,6 +39,7 @@ endif
> # Wildcard module list
> #
> pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
> +pfx_build_mod += NOTRACK
> @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
> @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
> pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
> @@ -100,6 +101,8 @@ lib%.oo: ${srcdir}/lib%.c
> xt_RATEEST_LIBADD = -lm
> xt_statistic_LIBADD = -lm
>
> +libxt_NOTRACK.so: libxt_CT.so
> + ln -s $< $@
>
> #
> # Static bits
> diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
> index 27a20e2..8012a59 100644
> --- a/extensions/libxt_CT.c
> +++ b/extensions/libxt_CT.c
> @@ -248,6 +248,13 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
> printf(" --zone %u", info->zone);
> }
>
> +static void notrack_tg_init(struct xt_entry_target *target)
> +{
> + struct xt_ct_target_info_v1 *info = (void *)target->data;
> +
> + info->flags |= XT_CT_NOTRACK;
> +}
> +
> static struct xtables_target ct_target_reg[] = {
> {
> .family = NFPROTO_UNSPEC,
> @@ -274,6 +281,19 @@ static struct xtables_target ct_target_reg[] = {
> .x6_parse = ct_parse_v1,
> .x6_options = ct_opts_v1,
> },
> + {
> + .family = NFPROTO_UNSPEC,
> + .name = "NOTRACK",
> + .revision = 0,
> + .real_name = "CT",
> + .real_rev = 1,
> + .version = XTABLES_VERSION,
> + .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
> + .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
> + .print = ct_print_v1,
> + .save = ct_save_v1,
> + .init = notrack_tg_init,
> + },
We also need to add support for real_rev 0 of the CT target. Just to
make sure that we don't break with old kernels.
I've pulled this and pushed out to the notrack-removal branch of
iptables. The idea would be to fix this issue above and to merge that
that couple of patches once 3.7-rc1 is released.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
